Posts

Showing posts from 2018

Becoming a (very Jr.) Hacker, how to, and my 1st Black Box Test

~ This is not a technical post, it's a story post.
~ A story for those who just like stories, or who like to learn some lessons, and especially for anyone who wants to become a hacker.

Lately (the last 6 months or so) I'm starting to really get into hacking. It always interested me, but I could never find the time, plus there was always another challenge at work like the new Angular.

But with time and effort the pay has grown, and with it my free time.

And the first question was how... From some videos and many SQL injections, XSS, DVWA etc. I didn't feel I was learning anything other than extra web security.

Finally I found the OverTheWire website, and finally I learned some "real" things: Linux, PHP, memory, crypto, ssh, etc., all basics that I, as a web programmer, had no clue about. Only the web-based challenges were "natural" for me.

I can say that there I learned lesson no. 1 - LEARNING.
In the world of hacking you must be a tireless learner, new things every time again, a…

Damn Vulnerable Web Application (DVWA) - File Inclusion and WebShells

Today we are going to have some fun understanding the full potential of File Inclusion attacks.

My goals for today:

1. a few words, Disclaimer, Lab, and links.
2. Web Shells intro with DVWA
3. How to complete the File Inclusion challenge in the new DVWA
4. Metasploit



1. a few words, Disclaimer, Lab, and links.


DISCLAIMER - if you do what I teach you today you WILL go to jail, so don't do this outside of your lab.

Setting up the lab -
For a hacking lab download either VirtualBox or VMware, or, if you own Win10 Pro, you have Hyper-V. With those you can create virtual machines, and you will need two today: one with DVWA, and another as the attacker, which for ease should be Kali. Download machines from osboxes.

For DVWA you can either download Metasploitable 2 or set up DVWA on some machine.
In my case I just put them both on an internal network, so they can see each other but have no internet (you might need to set up DHCP if you don't get an IP).

For basic help about solving DVWA's file inclu…

Damn Vulnerable Web Application (DVWA) - installation 2018

For anyone trying to install DVWA today: things changed a little, and it took me a while to get it working, so here it is:

IMPORTANT - su if you are not the root user (i.e. not on Kali)

1. download the latest version

To get it working with MariaDB and PHP v7.x:

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip && unzip master.zip

unzip it under /var/www/html and rename the folder to dvwa


2. config file

cd /var/www/html/dvwa/config
cp config.inc.php.dist config.inc.php
gedit config.inc.php

create reCAPTCHA keys at
https://www.google.com/recaptcha/intro/index.html
and set them in $_DVWA[ 'recaptcha_public_key' ] and $_DVWA[ 'recaptcha_private_key' ]

start at low difficulty:

$_DVWA[ 'default_security_level' ] = 'low';

you need to clear your cookies if DVWA was already running

3. set up the user in MariaDB

sudo service mysql start
mysql -u root -p

DB commands:

mysql > create database dvwa;
mysql > CREATE USER dvwa@localhost IDENTIFIED BY 'p@ssw0rd';
mysql > grant all on dvwa.* to dvwa@localhost;
mysql > flush privilege…

Real Hacking Challenge - victim behind ssh

The challenge is like this: I have the attacker machine (A), which connects with an ssh client to another machine (B), which runs an ssh server (daaa...). These two are connected to the internet, but (B) is also connected to an internal network, and there sits a Win10 machine (C), NOT connected to the internet but to (B) as said.

We will use the help of ssh and Shellter to also try to do it with Windows Defender on.

To succeed we will try to do this from bottom to top.

*DISCLAIMER - all this is illegal, and you may only do it in your lab; if you hack for real you will go to jail.

*BIG NOTE: sometimes stuff just doesn't work; restarting (not powering off) the machines and the services refreshes things and then they work.


PLAN

1. prepare lab
2. test exploit on xp
3. test 3 machines ssh with 3 linux
4. exploit xp via ssh
5. exploit win10
6. test ssh with win 10
7. exploit win10 via ssh





1. preparing lab

Using VBox (it doesn't matter which) I will create 4 machines: an arbitrary Linux for the ssh server, WinXP for testing,…

VBOX Windows XP - how to use the internet

1. right-click on the machine -> Settings -> Network -> choose NAT -> expand Advanced ->
choose "PCnet-FAST III (...)"

2. run cmd -> "inetcpl.cpl" -> Advanced -> enable "Use TLS 1.0"

3. open IE -> go to "www.bing.com" -> search "download firefox/chrome" -> do the usual, choosing "Yes" a zillion times every time it complains about the certificate.

- Chrome sometimes has all kinds of trouble with XP

4.1 with Chrome, browse to "www.google.com"; in the error screen click Advanced -> Proceed.

4.2 with Firefox, just browse and enjoy

P.S. - if you have bridged connection problems, try changing the MAC address

What every Browser knows about you

Using this nice tool http://webkay.robinlinus.com/ to see how anonymous I can get. Let's go.

The table will contain:
method (browser + proxy/VPN), location, OS, browser, plugins (of browser), hardware, previous page, public IP, local IP, ISP, speed.



Surfing with just Chrome over a normal connection, the site I am visiting knows everything about me: that I use Chrome (and which version), my location, my OS, my display hardware, the last page I've been on, my exact public and local IP, my download speed, the social media I am currently logged in to, and that there is a device in my network (I think it's my printer).



Now with Tor, normal connection, normal config, leaving the Tor window at its default size, JavaScript enabled:

proxy's location
proxy's OS
right browser version (FF 52)
proxy's hardware and download speed
social media not shown as logged in, yet I never logged in with FF or Tor, so I can't tell.
can't scan the network




Tor, JavaScript disabled:
that website does not show any info

what's-my-IP sites show the proxy



*Note t…

Angular: add more HTML pages

1. ng build with your index.html set up properly with its components (or conditional app components).
2. rename and copy the rendered page to (for example) /src/search.html
3. in angular.json (angular-cli.json for pre v5) find "assets":

"assets": [ "src/favicon.ico", "src/search.html", "src/assets" ],
browse to localhost:4200/search.html
enjoy :)

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

game portal: http://overthewire.org/wargames/natas/
PASSWORDS for each level are stored in /etc/natas_webpass/natasX

I made this walkthrough for people like me: I needed some help but didn't want the spoiler, so here I will give you all the information needed to pass each level, yet not the solution.

For levels that need a custom web request I made a different post for PowerShell and JavaScript with how-tos, since that is a piece of learning in itself, and also for those of us who play at work and have only PowerShell at hand. Although it's not a complete spoiler there, it's most of the solution, so try yourself first.

Natas
The Natas game goes from basic to advanced web hacking. Every few levels is about a whole new exploitation technique (with some harder ones making a comeback later), so a lot of learning.

If you're new, you're the reason I am writing so much even for the 1st level; just please google EVERY topic you see, since in the following levels I assume you know the previous topi…

Natas Powershell and JavaScript Helper (OverTheWire)

I did most of Natas from work, and there I couldn't have anything but Windows PowerShell or the browser's console for JavaScript, so here are examples of how to use them for the game, for anyone in the same position.

SPOILER ALERT

Even though I tried not to make this the solution, it's kinda the solution.

Level 4: HTTP Headers


# basics for working with .Net WebClient
# create a variable with a value
$u = "http://natas4.natas.labs.overthewire.org"
# when creating a new Object you need to specify the full namespace and class route
$wc = New-Object System.Net.WebClient
# this is how you send user and pass (HTTP basic auth)
$c = New-Object System.Net.NetworkCredential("natas4", "............")
$wc.Credentials = $c
# adding headers.
# adding a cookie is just "cookie", "name=value".
$wc.Headers.Add("header-name", "header-value")
# download the same html you see in "view-source".
# you can also more elegantly store this in a variable and print it lik
# …

JavaScript Event-Oriented Programming example on SPSocialFeed

SPSocialFeed is the SharePoint microblog, where you can post your thoughts and reply to yourself and others.

We wanted to add some functionality for every reply and post added, so I used the new "MutationObserver" and "CustomEvent" APIs in ES6 to create an event-driven way to implement the solution:

// batman is the man in charge of catching the bad guys in the night.
// so now he catches the good events in the feed
let batman = (function () {
  let config = { childList: true };
  let batman = class batman {
    constructor() {
      this.v = "2.0.0";
      // register a call to the batCave fn. in _spBodyOnLoadFunctionNames, the SP onready hook
      _spBodyOnLoadFunctionNames.push('batman.batCave');
    }
    batCave() {
      let feed = document.getElementById('ms-feedthreadsdiv');
      // childNodes can be any type of node, like text nodes. children is only the HTMLElement childNodes.
      let posts = feed.children;
      let evt = new CustomEvent('feedReady', { detail: { feed: feed, posts: posts } });
      console.log('batman fire feedReady event');
      …